Exposed: YouPorn passwords in all their plain-text glory

More than 6,400 subscriber e-mail addresses and passwords have been retrieved …

As one of the top 100 websites in the world, the free porn video website YouPorn has a lot of subscribers. And as of late Tuesday night, at least 6,400 of those subscribers' passwords were exposed in a data dump on Pastebin that paired e-mail addresses with plain-text passwords. The list of YouPorn logins is thought to have been captured from a public-facing server, which leaves YouPorn with the bigger share of the blame for permitting lazy security.

Naturally, this creates a problem for thousands of people who may want to keep their enthusiasm for erotica secret, and having an e-mail address connected with the site is certainly a breach of privacy on a grand scale. Even if those affected don't care who knows they frequent X-rated sites, there is still the danger that someone will use the plain-text password to access other accounts with more important information in them, since people tend to use the same password to log in to many different websites.

It appears that the dump is the work of an unknown hacker. While YouPorn appears to have shut down the breached server, the damage is largely done. Portions of the list have been published around the Internet, and the list is being analysed in all sorts of ways. OZ Dump Centa divvied up the e-mail addresses by provider (the largest portion of YouPorn accounts were linked to Hotmail addresses, followed by Gmail). Technology researcher Ashkan Soltani made a word cloud of the most popular stolen passwords. While YouPorn has not made a public statement about the breach, the data leak is a reminder that passwords should never be repeated across logins for different sites.

Anyone else take a look on that tag cloud? It seems incredible to me that baronerossosofim123456789 would even register in it. Either several people used that, or qwerty123 and friends are even more common than the tags suggest. Either way: wtf!?
I didn't verify against the original data but looking at the tag cloud inspired my bots comment. Either that, or the "big" words on the cloud were on the order of some stupidly small number like.... 6.

Yes and also easy to figure out. You're basically betting your passwords are hashed (in case the site is hacked) and all the operators for sites where you use this pattern are honest (and don't store your clear text passwords somewhere.)

It is more secure than the same password as it requires human intervention (or a somewhat sophisticated algorithm) to figure out, but not by much.

Why wouldn't you just combine the domain name and a constant, then hash them for real? Or use one of the hundreds of tools that do that for you? No pattern, no crackability, and most of the browser-based tools require little more than a right-click (or even auto-fill).
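The "domain plus a constant, hashed for real" idea from the comment above, as an added example that is not part of the thread and is not the algorithm of any named tool: a master secret is run through PBKDF2-HMAC-SHA256 with the canonical domain as the salt, so each site gets an unrelated password and a leaked site password reveals nothing about the master secret. The "first two letters" pattern from later in the thread is reconstructed alongside it (as base + first two letters of the domain, an assumption about what the poster meant) so the difference in what one leak exposes is visible. The iteration count, salt label and sample inputs are assumptions.

```python
import base64
import hashlib

# Hypothetical scheme for illustration only; constructed parameters.
ITERATIONS = 200_000


def normalize_site(site: str) -> str:
    """Reduce a URL or host to a canonical domain so the same site always
    yields the same password (scheme, port, path, case and 'www.' ignored)."""
    host = site.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    if host.startswith("www."):
        host = host[len("www."):]
    return host


def derive_site_password(master_secret: str, site: str, length: int = 16) -> str:
    """PBKDF2-HMAC-SHA256 with the master secret as the password and the
    domain as the salt. Different domains give unrelated outputs, and the
    one-way KDF means a leaked site password does not expose the master."""
    domain = normalize_site(site)
    key = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                              ("site-password:" + domain).encode("utf-8"),
                              ITERATIONS, dklen=32)
    # URL-safe base64 yields letters, digits, '-' and '_'; trim to what the site allows.
    return base64.urlsafe_b64encode(key).decode("ascii")[:length]


def naive_pattern_password(base: str, site: str) -> str:
    """The per-site pattern discussed in the thread, reconstructed as
    base + first two letters of the domain. One leak shows the whole base."""
    return base + normalize_site(site)[:2]


def common_prefix_len(a: str, b: str) -> int:
    """How many leading characters two passwords share: a crude measure of
    how much one leaked password tells you about the other."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    master = "hunter2-master-secret"  # constructed
    for site in ("https://www.example.com/login", "example.org"):
        print(normalize_site(site), derive_site_password(master, site),
              naive_pattern_password("Summer2012", site))
```

Usage note: the scheme is deterministic, so anyone holding the master secret can regenerate every site password, which is why the master must be long and never typed into a site. Rotating one site's password without changing the master is not possible in this minimal form; real tools add a per-site counter to the salt for that purpose.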

idea00 wrote:

Yes and also easy to figure out. You're basically betting your passwords are hashed (in case the site is hacked) and all the operators for sites where you use this pattern are honest (and don't store your clear text passwords somewhere.)

It is more secure than the same password as it requires human intervention (or a somewhat sophisticated algorithm) to figure out, but not by much.

On the other hand, unless someone is specifically stalking YOU and they have at least 2-3 exposed passwords to start from, there is no pattern. Everyone who uses these lists just grabs the passwords and tries to log in on as many other sites as possible with it. The best safety by far is using different passwords on different sites, no matter how brain-dead they are - consider what attacks you're actually defending against is a crypto mantra.

If it's a single-worded website I use the first two letters. It's easy, trust me.

Here is what I do.

Lastpass.com

The end.

Roboform for me. The form filling and android sync work great too.

My wife and I share an account so all our PCs are synced with the same passwords, which are all generated by Roboform using random passwords like "nncKuxPS5vA0". I don't even know my passwords to most sites. I have over 300 logins, all with different passwords, using this system. Just have to make sure the master password is never lost or compromised.
Yup exactly. Make a really strong master password, and forget about the rest. Of course, there are a few sites that I may need to access on a PC without lastpass, so I have a couple sites with passwords I do know, but lastpass knows them too, so I rarely need to fill them in.

When you go to a site, roboform knows where you are and offers to fill in the password for you. We each have our own favorites in our browsers so that's how I get to the sites. I don't really go anywhere that my wife would find questionable and if I did, it would probably just get lost in the list anyways. If I was still 18 I might maintain my own list but pushing 40 with 4 kids, I don't really have time for too much nonsense.

Not saying I've never visited objectionable sites, but I don't make accounts there.

I have a robust search engine that allows me to find any manner of pornography on the web without creating a user name and password. It's called Google.

You need an account to post videos or comment. And if there's one thing the internet proves, it's that everyone loves to put their two cents in.

"Everyone loves to put their two cents in" <-- the stupid facebook crowd perhaps, but you've been living under a rock if you think you need to sign up for an account or leave a comment just to score some porn.

But then again, probably no-one is going to care about their youporn account being hacked. Why risk exposing your password scheme for that? It seems very possible to crack your scheme with a little luck.

I have a weak password for a lot of services that I use anonymously (and with throwaway email addresses), including ars. I reserve strong passwords for business, banking and accounts connected to my real-life reputation.

I noticed that some pretty clever individual passwords are pretty big in the word cloud. I looked at the password list and it turns out there are a bunch of duplicate entries (including mistyped addresses that apparently weren't even syntax-checked!). Interestingly enough, these people have apparently tried to sign up multiple times, eventually using different addresses. By using the same unique password, these addresses are now linked together. In many cases spam addresses are thus linked to real names.

This also means that the word cloud is misrepresentative in its current form.

And man, would it be easy to ruin someone's reputation by creating an email address in their name and signing up to a lot of shady websites... Oh ye of unique names ...

As for the discussion on password strength, I suggest one of two solutions:

1) 1Password (generated passwords, plugs into all browsers, syncs with my iPhone app using Dropbox), or a similar program of your choosing.

2) http://xkcd.com/936/ "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."
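The point made above about duplicate entries inflating the word cloud, as an added example that is not part of the comment and uses no rows from the real dump: the block parses constructed "email:password" lines, counts each password once per row (what a naive word cloud does) and once per distinct normalized address, and shows how far the two counts diverge when one person has signed up repeatedly.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample in the "email:password" shape the comment describes;
# these rows are invented for the example and do not come from the dump.
SAMPLE_DUMP = """\
alice@example.com:baronerossosofim123456789
alice@example.com:baronerossosofim123456789
alice@example.com:baronerossosofim123456789
ALICE@example.com:baronerossosofim123456789
alicee@example.com:baronerossosofim123456789
bob@example.net:qwerty123
carol@example.org:qwerty123
dave@example.org:123456
erin@example.org:123456
"""


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Split each line at the first ':' (passwords may themselves contain ':')."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # blank or malformed line
        email, password = line.split(":", 1)
        rows.append((email, password))
    return rows


def normalize_email(email: str) -> str:
    """Case and surrounding whitespace do not make a different mailbox."""
    return email.strip().lower()


def raw_password_counts(rows: List[Tuple[str, str]]) -> Counter:
    """What a naive word cloud is built from: one hit per row, repeats included."""
    return Counter(pw for _, pw in rows)


def emails_by_password(rows: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Distinct normalized addresses seen with each password."""
    groups: Dict[str, Set[str]] = {}
    for email, pw in rows:
        groups.setdefault(pw, set()).add(normalize_email(email))
    return groups


def distinct_account_counts(rows: List[Tuple[str, str]]) -> Counter:
    """One hit per distinct address: how many accounts actually chose the password."""
    return Counter({pw: len(emails) for pw, emails in emails_by_password(rows).items()})


def ranking(counts: Counter) -> List[str]:
    """Passwords ordered from most to least frequent."""
    return [pw for pw, _ in counts.most_common()]


if __name__ == "__main__":
    rows = parse_dump(SAMPLE_DUMP)
    raw, distinct = raw_password_counts(rows), distinct_account_counts(rows)
    for pw in ranking(raw):
        print(f"{pw:30} rows={raw[pw]} distinct_accounts={distinct[pw]}")
```

In the constructed sample the long unique password dominates the raw count with five rows but sits level with qwerty123 and 123456 once repeated sign-ups by one address are collapsed, which is exactly the distortion the comment describes.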